07-23-2012 08:09 AM
Hi,
I have an ACE 4710. I am trying to configure a policy so that when a specific client tries to access a specific destination, the ACE does not send the traffic to load balancing. It should send it directly to the next hop.
I configured the below but wasn't able to achieve my objective.
access-list source_IP line 8 extended permit ip host 192.168.146.123 host 198.xx.xx.2
class-map match-all CM_BYPASS_SOURCE
  2 match access-list source_IP
policy-map type loadbalance http first-match PM_L7_BYPASS_SOURCE
  class class-default
    forward
policy-map multi-match PM_BYPASS_SOURCE
  class CM_BYPASS_SOURCE
interface vlan 500
  service-policy input PM_BYPASS_SOURCE
  service-policy input PM_MAIN_SERVER
But I am not able to reach the destination. My source traffic is still being diverted to the load balancing server. I don't want it to be redirected to the LB server.
Please advise what I am missing.
07-23-2012 05:48 PM
Hi,
Any traffic that is not destined for VIP will pass through from ACE.
Are you trying to send this particular client's traffic to the next hop even though the destination is a VIP address on the ACE?
Where is this client located and where is this destination in your network?
The client getting load balanced to a serverfarm indicates that you are trying to send the traffic to VIP which of course will be load balanced.
Regards,
Kanwal
07-23-2012 11:18 PM
Hi,
The source is my inside network on VLAN 500 and the destination is on the Internet.
The ACE has a default route towards the Internet firewall.
I am redirecting ports 80 and 443 on the ACE. Any traffic on 80 and 443 is being redirected by the ACE to the proxy server.
I don't want that to happen for a few LAN users when they are trying to access a few external websites.
When specific sources on my LAN hit 193.x.x.x or any public server, I want the ACE to send the traffic to the next hop instead of redirecting it to the proxy or any other load balancing server.
07-23-2012 11:32 PM
Hi,
Please send me the relevant configuration here.
Please include the configuration you have done for redirecting clients to the proxy as well as the configuration you have done for the specific clients for which you don't want redirection.
You can also send me the complete show run output. Just mention the interesting IPs and farms.
Regards,
Kanwal
07-24-2012 12:02 AM
Hi,
Please see the below configuration.
access-list source_IP line 8 extended permit ip host 192.168.25.89 host 198.xx.xxx.xxx
probe tcp PROBE_HTTPS
  port 443
  interval 15
  passdetect interval 60
  open 1
probe tcp PROBE_TCP
  port 80
  interval 15
  passdetect interval 60
  open 1
probe tcp PROBE_TCP_443
  port 443
  interval 15
  passdetect interval 60
  open 1
parameter-map type http PARAMAP_CASE
  case-insensitive
  no persistence-rebalance
rserver host PLATTS_APP
  ip address 192.168.0.1
  inservice
rserver host RS_BCPR01
  ip address 192.168.200.103
  inservice
rserver host RS_BCPR02
  ip address 192.168.200.104
  inservice
serverfarm host SF_BCPR
  transparent
  probe PROBE_TCP
  rserver RS_BCPR01
    inservice
  rserver RS_BCPR02
    inservice
serverfarm host SF_BCPR_https
  transparent
  probe PROBE_TCP_443
  rserver RS_BCPR01
    inservice
  rserver RS_BCPR02
    inservice
sticky ip-netmask 255.255.255.255 address source STICKY-SOURCE
  replicate sticky
  serverfarm SF_BCPR
sticky ip-netmask 255.255.255.255 address source STICKY-SOURCE-HTTPS
  replicate sticky
  serverfarm SF_BCPR_https
class-map match-all CM_BYPASS_SOURCE
  2 match access-list source_IP
class-map match-all CM_SF_BCPR
  255 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
class-map match-all CM_SF_BCPR_HTTPS
  2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq https
policy-map type management first-match PM_ALL
  class CM_ALL
    permit
policy-map type loadbalance http first-match PM_L7_BYPASS_SOURCE
  class class-default
    forward
policy-map type loadbalance http first-match PM_LB_SF_BCPROXY
  class class-default
    sticky-serverfarm STICKY-SOURCE
policy-map type loadbalance http first-match PM_LB_SF_BCPROXY_https
  match GITWLAN source-address 192.168.22.0 255.255.255.0
  class class-default
    forward
policy-map multi-match PM_MAIN_BCPROXY
  class CM_SF_BCPR
    loadbalance vip inservice
    loadbalance policy PM_LB_SF_BCPROXY
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options PARAMAP_CASE
  class CM_SF_BCPR_HTTPS
    loadbalance vip inservice
    loadbalance policy PM_LB_SF_BCPROXY_https
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options PARAMAP_CASE
service-policy input PM_ALL
interface vlan 300
  service-policy input PM_BYPASS_SOURCE
  service-policy input PM_MAIN_BCPROXY
  no shutdown
07-24-2012 12:22 AM
Hi,
Please use this class map under the multi-match policy and call policy PM_L7_BYPASS_SOURCE under it. I guess that should work fine.
policy-map type loadbalance http first-match PM_L7_BYPASS_SOURCE
  class class-default
    forward
class-map match-all CM_BYPASS_SOURCE
  2 match access-list source_IP
So it should look like this:
policy-map multi-match PM_MAIN_BCPROXY
  class CM_BYPASS_SOURCE
    loadbalance policy PM_L7_BYPASS_SOURCE
  class CM_SF_BCPR
    loadbalance vip inservice
    loadbalance policy PM_LB_SF_BCPROXY
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options PARAMAP_CASE
  class CM_SF_BCPR_HTTPS
    loadbalance vip inservice
    loadbalance policy PM_LB_SF_BCPROXY_https
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options PARAMAP_CASE
And this policy should be used on client side vlan.
Let me know how it goes.
Regards,
Kanwal
07-24-2012 05:18 AM
Hi,
I applied the configuration but am getting the error mentioned below.
loadbalance vip inservice
Error: LB action requires match vip command
I didn't define any VIP and I didn't configure the class-map for a VIP either.
My current configuration is shown below.
class-map match-all CM_BYPASS_SOURCE
  2 match access-list source_IP
policy-map type loadbalance http first-match PM_L7_BYPASS_SOURCE
  class class-default
    forward
policy-map multi-match PM_BYPASS_SOURCE
  class CM_BYPASS_SOURCE
    loadbalance vip inservice
Error: LB action requires match vip command
Please assist
07-24-2012 05:25 AM
Hi,
Please use loadbalance policy
Regards,
Kanwal
07-24-2012 05:47 AM
Hi,
I tried with the policy name but still getting the same error.
policy-map multi-match PM_BYPASS_SOURCE
  class CM_BYPASS_SOURCE
    loadbalance policy PM_L7_BYPASS_SOURCE
Error: LB action requires match vip command policy-map multi-match PM_BYPASS_SOURCE
07-24-2012 05:55 AM
Hi,
Hmm, I am out of office and will test this tomorrow. It seems that the loadbalance command will only take effect if you have a corresponding VIP class map, which makes sense.
If no one replies by tomorrow, I will update you. If you get an answer, then great. Let me figure this out in the lab.
Regards,
Kanwal
07-24-2012 11:23 PM
Hi,
Please try this:
class-map match-all BYPASS
  2 match virtual-address 193.0.0.0 any   <-- This is your desired public server on the Internet.
class-map type generic match-all SOURCEL7
  2 match source-address 192.168.25.89 255.255.255.255   <-- This is your desired source from the LAN.
policy-map type loadbalance generic first-match Bypass
  class SOURCEL7
    forward
policy-map multi-match PM_BYPASS_SOURCE
  class BYPASS   <-- Should be above the 80 and 443 class maps.
    loadbalance policy Bypass
    loadbalance vip inservice
Try this and let me know please.
Regards,
Kanwal
07-25-2012 03:03 AM
Hi,
I tried but it didn't work for me. I am trying to bypass cisco.com.
Below is the configuration.
class-map match-all CM_BYPASS_SOURCE
  2 match virtual-address 198.133.219.25 any
class-map type generic match-all CM_BYPASS_USERS
  2 match source-address 192.168.80.89 255.255.255.255
policy-map type loadbalance generic first-match PM_L7_BYPASS_USERS
  class CM_BYPASS_USERS
    forward
policy-map multi-match PM_BYPASS_SOURCE
  class CM_BYPASS_SOURCE
    loadbalance vip inservice
    loadbalance policy PM_L7_BYPASS_USERS
interface vlan 300
  service-policy input PM_BYPASS_SOURCE
  service-policy input PM_MAIN_BCPROXY
show service-policy PM_BYPASS_SOURCE detail
Status : ACTIVE
Description: -----------------------------------------
Interface: vlan 1 300
service-policy: PM_BYPASS_SOURCE
class: CM_BYPASS_SOURCE
VIP Address: Protocol: Port:
198.133.219.25 any
loadbalance:
L7 loadbalance policy: PM_L7_BYPASS_USERS
VIP ICMP Reply : DISABLED
VIP State: INSERVICE
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : PM_L7_BYPASS_USERS
class/match : CM_BYPASS_USERS
LB action : forward
hit count : 0
dropped conns : 0
compression : off
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
One more thing: I need to add more public destinations and more source IP addresses, so I will create the class-map with match-any so that I can add more IP addresses.
Please advise.
07-25-2012 07:21 PM
Hi,
Have you applied this policy to correct interface?
Also, if possible can you send me the complete output of show running-config?
Regards,
Kanwal
07-25-2012 11:39 PM
07-29-2012 02:37 AM
Hi,
I would appreciate assistance on this configuration issue.